error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

9
votes

I'm currently trying to test the implemented changes for achieving security with Encrypted Shuffle in Cloudera Hadoop Environment.

I've created the certificates and keystores and kept them in appropriate locations.

I'm testing TaskTracker's HTTPS port of 50060.

When I do a curl on that port, I get below error response.

ubuntu@node2:~$ curl -v -k "https://10.0.10.90:50060"
* About to connect() to 10.0.10.90 port 50060 (#0)
*   Trying 10.0.10.90... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

When I did check with open ssl client, i got below response

 ubuntu@node2:~$ openssl s_client -connect 10.0.10.90:50060
CONNECTED(00000003)
139749924464288:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I'm not able to figure out what might be causing this issue ?

Is there something that I'm missing ?

PS : I've updated the ca-certificates.crt file and also kept the server .crt file under /usr/share/ca-certificates/mozilla

3
javasslhadoopopensslcloudera

3 Answers

6
votes

error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

It appears there is no SSL/TLS server listening on 10.0.10.90:50060. There is a server listening, its just not SSL/TLS.

I can duplicate it when connecting to my gateway over port 80 (rather than 443).

$ openssl s_client -connect 192.168.1.1:80
CONNECTED(00000003)
140735109476828:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 517 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

And if you use the -debug flag, you will see the HTTP in the response that OpenSSL is trying to interpret as SSL/TLS protocol data:

$ openssl s_client -connect 192.168.1.1:80 -debug
CONNECTED(00000003)
write to 0x7fbf58422b90 [0x7fbf58811800] (348 bytes => 348 (0x15C))
0000 - 16 03 01 01 57 01 00 01-53 03 03 64 1d 01 29 f0   ....W...S..d..).
...
0150 - 03 02 01 02 02 02 03 00-0f 00 01 01               ............
read from 0x7fbf58422b90 [0x7fbf58816e00] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
140735203164636:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
0
votes

To anyone that has this problem:

error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.

My issue was with curl using ipv6 by default instead of ipv4. The end server wasn't configured appropriately to respond to ipv6, thus the same issue statement was observed. Make sure curl is using ipv4 or your server can do ipv6.

0
votes

I got this kind of error while running the Airflow web server service on https. By mistake I mentioned .key file path in property(key) file instead of .pem file path for enabling https.

Corrected the .pem file path instead of .key file path and working fine.